The Police Bill currently making its way through parliament includes long awaited changes to the Computer Misuse Act.
Lilian Edwards is not convinced the amendments will be effective since the bill fails to define what "unauthorised" is in the context of "an unauthorised act in relation to a computer." She's also concerned that section 3A of the bill could have a detrimental effect on security research.
"Less ballyhooed but also of interest is the new section 3A added by the 2006 Bill which is extracted below:
“3A Making, supplying or obtaining articles for use in offence under
section 1 or 3(1) A person is guilty of an offence if he makes, adapts, supplies or offers to supply any article—
(a) knowing that it is designed or adapted for use in the course of
or in connection with an offence under section 1 or 3; or
(b) intending it to be used to commit, or to assist in the commission
of, an offence under section 1 or 3."
This probably criminalises the making and selling of virus and DDOS toolkits, something I have wondered about in the past. What if you write a virus-making toolkit to learn about viruses and virus-spreaders so you can be a better security expert? (a) may still catch you. I would have felt happier if the new offense was restricted to the (b) branch, or if the "or" was an "and"."